Want Your Coffee Machine Back? Pay a RansomResearch Highlights Danger of Insecure Firmware in Line of Coffee Machines
An internet-connected coffee machine is the latest IoT device to show security problems. The security firm Avast infected the Smarter Coffee machine with ransomware that causes uncontrollable spinning of its grinder and dispensing of hot water. The only option to stop it? Unplug the machine.
The research augments longstanding warnings about IoT: Device manufacturers are paying little attention to security while pushing devices to the market too soon, and they may not provide support for very long (see: Not the Cat's Meow: Petnet and the Perils of Consumer IoT).
Avast Senior Researcher Martin Hron describes in a blog post his reverse-engineering adventure with the first generation of the Smarter Coffee machine, made by Smarter Applications Ltd. The device went on the market around four years ago.
Hron found that he could tamper with the firmware without touching the actual device. He could also rig the device to cause its grinder to run uncontrollably and dispense hot water when a user tries to connect it to the home network.
The issues stem from the device's firmware, which can be replaced without any authorization or authentication. The bug, CVE-2020-15501, affects Smart Coffee machines before the second generation, which are no longer produced.
Hron tells ISMG that Avast did try to contact Smarter Applications through its support site but did not get a response. He says more recent models of devices made by the company have better security.
In a statement, Smarter Applications says "although updates are no longer supported for these models, we do review any legacy claims on a per customer basis in order to provide continued customer care."
"Smarter is committed to ensuring its smart kitchen range has the highest levels of security safeguards at its core, and all connected products sold since 2017 are certified to the UL 2900-2-2 Standard for Software Cybersecurity for Network-Connectable Devices," the company says.
Firmware Not Encrypted
The Smarter Coffee machines come with a mobile app that can be used to remotely trigger the process to make coffee.
The device allows people to start making coffee with the app, which is where the problems start. Smarter Coffee creates its own local Wi-Fi network using its ESP8266 chip, and that network has a very simple communication protocol, according to Avast.
"As expected, it's a simple binary protocol with hardly any encryption, authorization or authentication," Hron writes. "Communication with machines takes place on TCP port 2081."
Anyone who has access to the network can communicate with the Smarter Coffee machine, and there is no security that prevents anyone who can reach the IP address of the machine to communicate with it, Hron writes. Also, anyone who is within range of the machine can talk to it even if the machine has not yet been connected to the local Wi-Fi network.
Hron found that the firmware is stored within the mobile app. The firmware isn't encrypted, and the plaintext firmware is uploaded to the flash memory of the device, he says.
"What is so surprising here is that the update procedure doesn't use any encryption or signature of the firmware," Hron writes. "Everything is transmitted in plaintext over an unsecured Wi-Fi connection. The only check is CRC at the end."
Avast's initial goal was to infect the Coffee Machine with a cryptocurrency miner. But its processor, an ARM Cortex M0, runs at 8 MHz, which makes it unlikely to successfully mine virtual currency.
"We decided to turn the coffee maker into a ransomware machine where a certain trigger initiates the ransom message," Hron writes. "It looks completely innocent and operates normally until the trigger is hit by an attacker, making it even more surprising."
Unused memory at the end of the firmware provided a place to put malicious code. Using an ARM assembler, the researchers wrote ransomware that would be triggered when someone tried to connect a machine to the local network.
When that happens, the Smarter Coffee machine delivers a surprise. Hot water begins spewing from the machine and the bean grinder starts turning. The coffee maker also begins beeping while flashing an image of a devil's head, and a bit.ly URL leads to the ransom message, according to a demo video in the blog post.
"We thought this would be enough to freak any user out and make it a very stressful experience," Hron writes. "The only thing the user can do at that point is unplug the coffee maker from the power socket."
Older versions of the Smart Coffee machine don't require any interaction by a user to update the firmware, but if a machine has a newer version of the firmware, someone needs to push the start button to update it. But that barrier could likely be overcome with social engineering, Hron writes.
Hron writes that devices such as this coffee machine may still work if they're no longer getting the required security updates, but there are long-term effects (see: Smart Devices: How Long Will Security Updates Be Issued?) .
"We are creating an army of abandoned vulnerable devices that can be misused for nefarious purposes such as network breaches, data leaks, ransomware attack and DDoS," he writes.